Good afternoon.

I'm a beginner in PHP programming; I followed some courses and have theoretical knowledge about it. I've been hired now and been given some 'basic' tasks. Coworkers here tell me that 'real world' code differs a bit from what is taught at University, in books and the like. I've been reading about security and found out about SQL injection. I also learned that the best way to avoid it is using prepared statements and parameter binding.

So, I'd be very thankful if you could give me your opinions or suggestions about the code below. Please, anything you have to say will be very useful. Opinions about the logic of the code, about the structure, about performance, about security... anything.
    if (isset($_POST['username'])
        && isset($_POST['password']))
    {
        $dbaddress = 'myhost';
        $dbuname = "database_user";
        $dbpass = "database_password";
        $dbname = 'customers_db';
        $r = new mysqli($dbaddress, $dbuname, $dbpass, $dbname);
        // The ? placeholders keep the submitted values out of the SQL text
        $q = $r->prepare("SELECT * FROM users WHERE uAccessName = ? AND uAccessPass = ?");
        // bind_param binds by reference, so assigning $user and $pass afterwards still works
        $q->bind_param("ss", $user, $pass);
        $user = $_POST['username'];
        $pass = $_POST['password'];
        $q->execute();
        $q->store_result();
        if ($q->num_rows === 1)
            // Do many many other things here
            echo "Access granted\n";
        else
            echo "Access denied\n";
        $q->close();
        $r->close();
    } else {
        // Handle the case where the form sent no data
    }
Thanks a lot.
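For comparison, here is an added example of the same login written the way a reviewer would typically suggest; it is not the poster's code. It keeps the prepared statement but looks the user up by name only and checks the password with password_verify(), so the database stores a password_hash() value instead of the plaintext. Column names follow the post; the host, credentials and the assumption that uAccessPass holds a hash are placeholders.

```php
<?php
// Added example, not the original poster's code. Assumes `users` has columns
// uAccessName and uAccessPass, where uAccessPass stores the output of
// password_hash($plaintext, PASSWORD_DEFAULT) written at registration time.
declare(strict_types=1);

// Make mysqli throw on connect/prepare/execute failures instead of returning
// false, so a broken query can never silently fall through to "Access denied".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
session_start();

function authenticate(mysqli $db, string $username, string $password): bool
{
    // The password never travels to the database; only the username is bound.
    $stmt = $db->prepare('SELECT uAccessPass FROM users WHERE uAccessName = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // For an unknown user, verify against a freshly generated hash so the
    // request still pays one bcrypt cost and the response time does not
    // reveal which usernames exist.
    $hash = $row['uAccessPass'] ?? password_hash('no-such-user', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash);

    return $row !== null && $ok;
}

if (isset($_POST['username'], $_POST['password'])
    && is_string($_POST['username']) && is_string($_POST['password'])) {
    $db = new mysqli('myhost', 'database_user', 'database_password', 'customers_db');
    $granted = authenticate($db, $_POST['username'], $_POST['password']);
    $db->close();

    if ($granted) {
        session_regenerate_id(true);            // new session id after login
        $_SESSION['user'] = $_POST['username'];
        echo "Access granted\n";
    } else {
        echo "Access denied\n";                 // same text for unknown user and wrong password
    }
} else {
    http_response_code(400);                    // form sent no usable data
}
```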